Advisory Overview
The SKOUT Security Operations Center has recently observed an uptick in attack activity involving an emerging Trickbot variant known as Bazar Backdoor. Trickbot is a banking trojan and information stealer that has evolved over the years to fill additional malware roles. Security researchers believe the malware named Bazar Backdoor is a new vairiant of the Trickbot family due to similarities found in the source code. Bazar Backdoor is a sophisticated threat in the sense that it is designed to have low detection capability and the potential impact is severe.
Technical detail and additional information
What is the threat?
The new variant utilizes advanced phishing techniques to lure targets into downloading the malware on a host. These lures use a variety of themes, such as COVID-19 and payroll information, to entice users to click a link and continue the attack. Typically, these emails have links that direct the user to a Google Docs page with a fraudulent landing page designed to mimic Microsoft files or PDFs. When the link is clicked, an executable will be downloaded that utilizes an icon that matches whatever file type the landing page was mirroring. Once this executable is clicked on by the user, the backdoor will be installed on the target host.
Why is this noteworthy?
Once installed, the backdoor injects itself into legitimate processes to obfuscate its existence on the network and adds the process to scheduled tasks in order to maintain persistence. These tactics, combined with the sophisticated phishing campaign, make this variant a potent threat that is difficult to detect.
What is the exposure or risk?
The malicious emails associated with these attacks utilize the legitimate email service Sendgrid to launch the phishing campaigns and the themes used to lure users are generalized and appeal to wide target base. The use of a legitimate email server further complicates detection methods and adds a perception of legitimacy to the email, which can fool unaware users. Additionally, the increased numbers of individuals working from home, and varying levels of user security awareness, can leave any organization open to attack where it only takes one careless or unaware user to click on link that can result in a complete disruption of business operations.
What are the recommendations?
SKOUT recommends providing security awareness training within your organization and following best practices to protect your company and its data against phishing and other social engineering attacks.
• Deploy strong endpoint protection to stop malware pre-execution, such as SKOUT Endpoint Protection.
• Deploy strong email protection to combat against phishing attacks, such as SKOUT Email Protection.
• Avoid interacting with emails from unknown sources.
• Frequently back up device files. If the confidentiality, integrity, and/or availability of data is impacted, it is imperative to have clean backups at hand.
• Implement security monitoring configured to detect related IOCs. SKOUT Network and Log Security Monitoring are currently both configured to detect signs of infection.
References:
For more in-depth information about the recommendations, please visit the following links:
• https://www.zdnet.com/article/new-bazar-backdoor-linked-to-trickbot-banking-trojan-campaigns/
If you have any questions, please contact our Security Operations Center.